Problem Statement
No dependency vulnerability scanning exists in CI. Python dependencies (stellar-sdk, fastapi, sqlalchemy, aiohttp) may contain known CVEs. No Dependabot/Renovate config for automated updates.
Evidence
- No pip-audit or safety step in .github/workflows/ci.yml
- No .github/dependabot.yml configuration
- .pre-commit-config.yaml: only pylint, no dependency scanning
Impact
Medium — supply chain risk. Known-vulnerable dependencies deployed to production without detection. For a DeFi protocol, a vulnerable dependency (e.g., in crypto library) could be catastrophic.
Proposed Solution
Add a pip-audit step to CI, run against the environment that poetry install produces, that fails the build on high-severity CVEs and warns on medium/low. Note that pip-audit has no severity-threshold option and its JSON output reports advisory IDs, aliases and fix versions but no severity score, so a high/medium split has to be done by post-processing the output (for example by looking the aliases up in an advisory database); the simpler and safer gate is to fail on any finding and exclude individually reviewed advisories with --ignore-vuln, recording the reason in the PR that adds the exclusion. Add Dependabot for weekly Python and Docker dependency updates.
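The CI step described above, as an added example and not the project's existing ci.yml. It assumes the project is installed with poetry and targets Python 3.11; the job name, branch filter and Python version are assumptions to adjust to the repository. pip-audit is installed and invoked through poetry run so that it audits the virtualenv poetry populated rather than the runner's system interpreter:

```yaml
# Added example for .github/workflows/ci.yml, not the project's own file.
# Assumes a poetry-managed project on Python 3.11 (both are assumptions).
name: ci

on:
  pull_request:
  push:
    branches: [main]

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install project dependencies from the lockfile
        run: |
          python -m pip install --upgrade pip poetry
          poetry install --no-root --no-interaction

      - name: Audit the resolved environment with pip-audit
        # pip-audit has to live in the same virtualenv poetry populated,
        # so it is installed and run through "poetry run".
        # --strict additionally fails when a package could not be audited.
        # pip-audit exits non-zero on any finding and has no severity
        # threshold flag; reviewed, accepted advisories are excluded one at
        # a time with --ignore-vuln <advisory-id> and justified in the PR.
        run: |
          poetry run python -m pip install pip-audit
          poetry run pip-audit --strict --desc
```

Running the audit after poetry install (rather than against pyproject.toml) means the scan covers the transitive set that actually ships, which is the set a DeFi deployment runs.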
Acceptance Criteria
- pip-audit runs in CI on every PR after poetry install (ci.yml)
- The build fails when a dependency with a known advisory is present
- .github/dependabot.yml exists and schedules weekly Python and Docker updates
File Map
.github/workflows/ci.yml — add pip-audit step
.github/dependabot.yml — New: Dependabot configuration
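The Dependabot configuration from the file map, as an added example and not the project's own file. It assumes pyproject.toml, poetry.lock and the Dockerfile sit at the repository root (change directory if they do not) and uses a "dependencies" label that the repository may not have. The github-actions entry goes beyond the Python/Docker scope of this ticket; it keeps the workflow's own pinned actions current as well:

```yaml
# Added example for .github/dependabot.yml, not the project's own file.
# Assumes manifests and Dockerfile at the repo root (an assumption).
version: 2
updates:
  # Dependabot's "pip" ecosystem also updates Poetry projects (pyproject.toml + poetry.lock).
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"

  # Base image tags referenced in the Dockerfile.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # Pinned actions used by .github/workflows/*.yml (outside this ticket's scope, included for completeness).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file only configures version updates. Dependabot security updates, which open PRs as soon as an advisory matches the lockfile instead of on the weekly schedule, are switched on separately in the repository's security settings (Dependabot alerts and security updates); enable both so the pip-audit gate in CI is not the first time a new advisory is noticed.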
Testing Strategy
- CI: open a PR and confirm the pip-audit step runs after poetry install; then temporarily pin a dependency to a version with a published advisory, confirm the build fails, and revert the pin
Security Considerations
Automated CVE detection in CI is critical for supply chain security in a DeFi protocol.
Definition of Done
Labels: security, ci-cd
Priority: Low
Difficulty: Beginner
Estimated Effort: 1h